Displaying 17 results from an estimated 17 matches for "remove_name".

2009 Apr 15
2
SELinux and "i_stream_read() failed: Permission denied"
...type user_home_dir_t; type user_home_t; type var_log_t; class capability { sys_nice chown }; class file { append create execute execute_no_trans \ getattr ioctl link lock read rename setattr write unlink }; class dir { add_name getattr create read remove_name \ rename write search setattr rmdir }; class fifo_file { getattr write }; class filesystem getattr; class sock_file write; class unix_stream_socket { connectto getattr read write }; } #============= dovecot_t =============== allow dovecot_t home_root_t:fil...
2017 Apr 25
2
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...dovecot_auth_t; type postgresql_port_t; type dovecot_t; type var_t; type postfix_virtual_tmp_t; class tcp_socket name_connect; class file { rename read lock create write getattr link unlink open append }; class dir { read write create add_name remove_name }; } #============= dovecot_auth_t ============== #!!!! This avc is allowed in the current policy allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect; #============= dovecot_t ============== #!!!! This avc is allowed in the current policy allow dovecot_t postfix_virtual_tmp_t:file {...
2012 Oct 02
1
SELinux, Amavis, Clamav
...xit 2, output="/var/amavis/tmp/amavis-20120930T154701-14709/parts/p002: Can't create temporary directory ERROR\n/var/amavis/tmp/amavis-20120930T154701-14709/parts/p001: OK" Here is an SE Linux failure message: Sep 30 15:54:53 (null) (null): audit(1349013293.978:90934): avc: denied { remove_name } for pid=19832 comm=clamscan name=clamav-9e9d055254e79e18d8f8592eeee57a53 ino=655768 dev=dm-0 scontext=system_u:system_r:clamscan_t:s0 tcontext=system_u:object_r:amavis_var_lib_t:s0 tclass=dir I had found two web pointers with this issue, but no solutions: Here is my solution, which is proposed t...
2009 Oct 04
2
deliver stopped working
...onnectto; class tcp_socket { name_bind name_connect }; class file { rename execute read lock create ioctl execute_no_trans write getattr link unlink }; class sock_file { setattr create write getattr unlink }; class lnk_file { read getattr }; class dir { search setattr read create write getattr remove_name add_name }; } #============= clamd_t ============== allow clamd_t proc_t:file { read getattr }; allow clamd_t sysctl_kernel_t:dir search; allow clamd_t sysctl_kernel_t:file read; allow clamd_t var_t:dir read; allow clamd_t var_t:file { read getattr }; #============= dovecot_auth_t ==============...
2017 Apr 25
0
NOT Solved - Re: SELinux policy to allow Dovecot to connect to Mysql
...ort_t; > type dovecot_t; > type var_t; > type postfix_virtual_tmp_t; > class tcp_socket name_connect; > class file { rename read lock create write getattr link unlink > open append }; > class dir { read write create add_name remove_name }; > } > > #============= dovecot_auth_t ============== > > #!!!! This avc is allowed in the current policy > allow dovecot_auth_t postgresql_port_t:tcp_socket name_connect; > > #============= dovecot_t ============== > > #!!!! This avc is allowed in the current policy...
2008 Dec 06
0
Trying to setting a selinux policy to Nagios 3.0.6 on CentOS 5.2 .
...link_sandbox: Link packages failed semodule: Failed! # cat nagios.te module nagios 1.0; require { type nagios_t; type sbin_t; type ping_t; type initrc_var_run_t; type var_t; type httpd_nagios_script_t; class dir { read write search add_name remove_name }; class fifo_file { write getattr read create }; class file { rename setattr read create write getattr unlink }; } #============= httpd_nagios_script_t ============== allow httpd_nagios_script_t var_t:fifo_file { write getattr }; allow httpd_nagios_script_t var_t:file { read getat...
2012 Nov 22
0
Still cannot manage folders through Samba4 with SELinux samba_export_all_rw enabled
...s : dir { getattr search open } ; [ samba_export_all_rw ] DT allow smbd_t non_security_file_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ] DT allow smbd_t non_security_file_type : dir { ioctl read write getattr lock add_name remove_name search open } ; [ samba_export_all_rw ] DT allow smbd_t non_security_file_type : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ samba_export_all_rw ] DT allow nmbd_t noxattrfs : file { ioctl read getattr lock open } ; [ samba_export_all_rw ] DT allow nmbd...
2007 Jul 19
1
semodule - global requirements not met
...again. I've done the usual- - grab a chunk of the audit.log that is relevant to all the actions that would be denied. - do 'cat audit.log | audit2allow -M amavis' to generate the module - amavis.te looks like: module amavis 1.0; require { class dir { add_name getattr read remove_name search write }; class file { create execute execute_no_trans getattr lock read rename unlink write }; class filesystem getattr; class lnk_file read; type amavis_t; type fs_t; type mqueue_spool_t; type sbin_t; type sendmail_exec_t;...
2017 Apr 07
3
SELinux policy to allow Dovecot to connect to Mysql
I have been getting the following on my new mailserver: Apr 7 10:17:27 z9m9z dovecot: dict: Error: mysql(localhost): Connect failed to database (postfix): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds before retry They go away when I setenforce 0. So I googled dovecot mysql selinux and the only worthwhile hit was:
2016 Jul 06
2
How to have more than on SELinux context on a directory
...sesearch --allow -t samba_share_t | grep samba_share_t | grep ftp allow ftpd_t samba_share_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samba_share_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; allow ftpd_t samba_share_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; allow ftpd_t samb...
2011 Oct 08
6
CentOS 6 is a bear
Gotta say, centos has been tough to install and get working. The anaconda installer makes large drive setups horridly tedious (especially if reinstalling a lot). Package selection seems a bit off... I did a virtualization package, no custom..did not install qemu, libvirt, and all attempts to do any virtualization failed due to non-installed packages. Then I decided to select all the
2016 Jul 06
0
How to have more than on SELinux context on a directory
...-t samba_share_t | grep samba_share_t | grep ftp > allow ftpd_t samba_share_t : file { ioctl read write create getattr > setattr lock append unlink link rename open } ; > allow ftpd_t samba_share_t : dir { ioctl read write create getattr > setattr lock unlink link rename add_name remove_name reparent search rmdir > open } ; > allow ftpd_t samba_share_t : lnk_file { ioctl read write create getattr > setattr lock append unlink link rename } ; > allow ftpd_t samba_share_t : sock_file { ioctl read write create > getattr setattr lock append unlink link rename open } ; ...
2019 Jan 30
2
SELinux policy vs. static web content
Hi, Some time ago I wrote an introductory article about SELinux on my blog. I'm currently updating it for my new blog, and I found a curious change in SELinux policy. Here goes. For demonstration purposes, I'm using some static webpages, more exactly the default pages found in /usr/share/httpd/noindex, which I simply copied over to /var/www/html. As a first practical example, I'm
2009 Aug 15
1
Confused about named, chroot, and tmp files.
...dit(1250359786.574:34): avc: denied { write } for pid=5103 comm="named" name="tmp-XXXXtGN8y7" dev=dm-0 ino=28157362 scontext=user_u:system_r:named_t tcontext=user_u:object_r:named_zone_t tclass=file Aug 15 14:09:46 devserver21 kernel: audit(1250359786.579:35): avc: denied { remove_name } for pid=5103 comm="named" name="tmp-XXXXtGN8y7" dev=dm-0 ino=28157362 scontext=user_u:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir Aug 15 14:09:46 devserver21 kernel: audit(1250359786.579:36): avc: denied { rename } for pid=5103 comm="named"...
2016 Jul 05
4
How to have more than on SELinux context on a directory
????????? ???????? ????? 2016-07-05 19:58: >> I need to have the tftpdir_rw_t and samba_share_t SELinux context >> on >> the same directory. >> >> How can we do this? Is it feasible to have more than one SELinux >> context? > > I don't think it's possible/feasible. > You'd probably need to add a new type and necessary rules to your
2012 Jun 15
1
Puppet + Passenger SELinux issues
...d write }; class capability { sys_resource sys_ptrace }; class file { entrypoint open create relabelfrom relabelto getattr setattr read write append ioctl lock rename link unlink }; class lnk_file { getattr read }; class udp_socket name_bind; class dir { getattr setattr add_name remove_name search open read write ioctl lock }; } #============= httpd_t ============== allow httpd_t port_t:udp_socket name_bind; allow httpd_t proc_net_t:file { read getattr open }; allow httpd_t bin_t:file entrypoint; allow httpd_t passenger_t:process sigchld; allow httpd_t passenger_t:unix_stream_sock...
2009 Jan 12
1
Deliver *sometimes* delivers via /tmp?
...00 euid=500 suid=500 fsuid=500 egid=12 sgid=12 fsgid=12 tty=(none) ses=4294967295 comm="deliver" exe="/usr/libexec/dovecot/deliver" subj=system_u:system_r:dovecot_deliver_t:s0 key=(null) node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231256667.462:5562): avc: denied { remove_name } for pid=7940 comm="deliver" name="dovecot.deliver..1231256667.7940.53f0f908f5a97712" dev=sda3 ino=852077 scontext=system_u:system_r:dovecot_deliver_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir node=jukebox.alleroedderne.adsl.dk type=AVC msg=audit(1231256667.462:5562):...